
Data Security and Compliance

Transparency builds trust. At Blackthorn, we do our best to manage expectations across all aspects of our business, and compliance is no exception. Here is how Blackthorn addresses compliance with a number of federal regulations and recommended standards across all of our applications.

Website Accessibility

VPAT: WCAG, ADA, and 508 Standards

There are recommended standards for how people with disabilities access websites, with varying levels of compliance. They are defined by the Web Content Accessibility Guidelines (WCAG), the Americans with Disabilities Act (ADA), and the Section 508 Standards, and a product's conformance to them is reported in a Voluntary Product Accessibility Template (VPAT).

Blackthorn is AA compliant, as documented in its VPAT. To enable the accessibility feature, please contact our support team.

Download Blackthorn.io's VPAT here.

Credit Card PCI Compliance

PCI DSS: Payment Card Industry Data Security Standard

Every business aims to be "PCI-compliant". In practice this largely boils down to the handling of card numbers and CVV codes. Blackthorn has never stored card numbers or CVV codes on any version of our application. PCI compliance is much more involved than this, covering how tokenization occurs, whether card numbers are encrypted or not stored at all (stored instead in the gateway, such as Stripe or Authorize.net), who has access to card data, and more.

PCI standards have different tiers of compliance. Blackthorn is PCI SAQ D compliant. Here is Blackthorn’s complete Attestation of Compliance, signed by a third-party auditor.

Broken down more specifically, all of our interfaces, such as our Events checkout, PayLink, DocumentLink, and our Virtual Terminal, perform client-side tokenization, which means that the card details are sent directly from the user's browser to the gateway. The card details never hit the database (Salesforce). Only the tokenized form of the card is then stored, which is a PCI-compliant approach.
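The flow described above, as an added illustration rather than Blackthorn's own code: the card fields go only to a (constructed, in-memory) gateway stand-in, the application record keeps just the returned token, and a guard refuses to hand anything that still looks like a PAN or CVV to the application database. The gateway object, function names and the Luhn-based check are assumptions for the example.

```javascript
// Luhn check, used here only to recognise a raw card number (PAN) in outbound data.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Constructed stand-in for the payment gateway (Stripe, Authorize.net, ...).
// In production the real gateway's client library receives the card fields; the
// application never sees them. Tokens here are deterministic for the example.
const mockGateway = {
  counter: 0,
  tokenize({ number, expMonth, expYear }) {
    this.counter += 1;
    return { token: 'tok_example_' + this.counter, last4: number.slice(-4), expMonth, expYear };
  },
};

// Returns the names of any fields that still carry raw card data. Empty means safe.
function findCardDataLeaks(payload) {
  const leaks = [];
  for (const [key, value] of Object.entries(payload)) {
    const digits = String(value).replace(/[\s-]/g, '');
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) leaks.push(key);
    else if (/^(cvc|cvv|securitycode)$/i.test(key)) leaks.push(key);
  }
  return leaks;
}

// The checkout step: card fields go to the gateway, only the token is kept for
// the application's own store (Salesforce, in the case described above).
function checkoutFlow(cardInput, email, gateway = mockGateway) {
  const tokenResult = gateway.tokenize(cardInput);
  const record = { email, paymentToken: tokenResult.token, last4: tokenResult.last4,
                   expMonth: tokenResult.expMonth, expYear: tokenResult.expYear };
  const leaks = findCardDataLeaks(record);
  if (leaks.length) throw new Error('refusing to store raw card data: ' + leaks.join(','));
  return record;
}
```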

FedRAMP Certification

FedRAMP: For select US Government entities

Blackthorn provides customers with a managed package of objects that get uploaded and used inside of Salesforce accounts. Salesforce, which is FedRAMP certified, is where all customer data and personally identifiable information is stored.

Since Blackthorn stores no customer data anywhere, and all such data is stored in Salesforce, Blackthorn does not fall within FedRAMP parameters. Blackthorn leverages Heroku, a Salesforce product, to surface event web pages like landing pages, registration pages, and calendars. We cache non-sensitive event data like event names, images, and dates on Heroku for fast loading and reduced queries.

Heroku is not FedRAMP certified, but given the innocuous nature of the event data cached there (event name, date, location, etc.), FedRAMP certification might not be of concern.

PII: GDPR and HIPAA

PII - Personally Identifiable Information is a modern term for any information about an individual, such as their email address or phone number, from which they can be personally identified. A number of sets of legislation that differ by country have been created around the handling of PII.

GDPR - The General Data Protection Regulation is a large set of policies that come down to giving your end customers the right to be forgotten, either completely or on a selective basis, and to governing the handling of a customer's PII. Blackthorn does not have a separate data store; all PII is stored in your own Salesforce environment. Management of customer data, such as a customer asking to have their data removed, is handled by each organization we work with and not by Blackthorn. GDPR generally applies to European-based organizations and also to European-based customers.

HIPAA - Health Insurance Portability and Accountability Act compliance, in the context of Blackthorn, is similar to GDPR in that customer data is only stored in your Salesforce environment. The handling of this data depends upon your organization's policies.

Our Data Flows

Blackthorn data flows across Blackthorn Events and Blackthorn Payments


Registration-only or events portal

EventLink

Our base package includes our event landing and registration page, complete with all information as applicable, available immediately by an auto-generated link.

Blackthorn | Customer Portal

Add on our portal where attendees can log in, see past and future events, receive dynamic pricing, password locked events, update their billing method, and more.


Reports & Dashboards

Automated registrations

Native Salesforce reports allow you to report in real-time on invites, registrations, waitlists, attendee and sponsor financials, speaker commitments, marketing email metrics, and logistics.

Beautiful dashboards

Lightning-ready dashboards display a snapshot overview for all aspects of either a singular event, or across all or select events. Schedule the dashboards to be emailed on a daily or weekly basis.

For Admins

Say goodbye to code. Gain complete control over all aspects of your event by point-and-click. Registration pages can be created and modified in real time by changing Salesforce fields.

Entirely native

All functionality within Blackthorn | Events will respect all Apex, Workflow Rules, and Process Builder configurations as all data is stored natively.

Packaged presets

Custom Settings, Workflow Rules, Reports, and Dashboards are all point-and-click configurable to provide granular control over the application.